authorhenning <henning@openbsd.org>2008-07-24 10:55:44 +0000
committerhenning <henning@openbsd.org>2008-07-24 10:55:44 +0000
commit75f549bda4632a86c3ad5f52bb1f1224409d2346 (patch)
tree921f33598765cf8ebefcee529c77bd5417699c75 /sys/netinet/ipsec_input.c
parentcheck sysctl return value (diff)
ipsec is glued into the stack in a very weird way, violating all kinds
of expected semantics. thus, for return packets coming out of an ipsec tunnel, we need to clear the pf state key pointer in the mbuf header to prevent the state for the encapsulated traffic from being linked to the decapsulated traffic's state. problem noticed by Oleg Safiullin <form@pdp-11.org.ru>, took me some time to understand what the hell was going on. ok ryan
Diffstat (limited to 'sys/netinet/ipsec_input.c')
-rw-r--r--sys/netinet/ipsec_input.c5
1 files changed, 4 insertions, 1 deletions
diff --git a/sys/netinet/ipsec_input.c b/sys/netinet/ipsec_input.c
index e64b7a715f2..93ab99fa121 100644
--- a/sys/netinet/ipsec_input.c
+++ b/sys/netinet/ipsec_input.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ipsec_input.c,v 1.87 2008/06/14 23:18:20 todd Exp $ */
+/* $OpenBSD: ipsec_input.c,v 1.88 2008/07/24 10:55:44 henning Exp $ */
/*
* The authors of this code are John Ioannidis (ji@tla.org),
* Angelos D. Keromytis (kermit@csd.uch.gr) and
@@ -563,6 +563,9 @@ ipsec_common_input_cb(struct mbuf *m, struct tdb *tdbp, int skip, int protoff,
/* Add pf tag if requested. */
if (pf_tag_packet(m, tdbp->tdb_tag, -1))
DPRINTF(("failed to tag ipsec packet\n"));
+
+ /* clear state key ptr to prevent incorrect linking */
+ m->m_pkthdr.pf.statekey = NULL;
#endif
if (tdbp->tdb_flags & TDBF_TUNNELING)